{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stellaops.local/docs/benchmarks/vex-evidence-playbook.schema.json", "title": "StellaOps VEX Proof Bundle", "type": "object", "additionalProperties": false, "required": [ "id", "version", "created_at", "created_by", "graph", "openvex", "justification", "entrypoints", "evidence", "rbac", "reevaluation", "uncertainty", "signatures" ], "properties": { "id": { "type": "string", "description": "Stable proof bundle identifier (URN recommended)." }, "version": { "type": "string", "description": "Semantic version of the bundle payload schema." }, "created_at": { "type": "string", "format": "date-time", "description": "RFC 3339 date-time, in UTC, when the bundle was produced. Note that 'format' is an annotation in JSON Schema; validators must opt in to enforce it." }, "created_by": { "type": "string", "description": "Issuer of the bundle (service, user, or automation identity)." }, "graph": { "type": "object", "additionalProperties": false, "required": ["hash"], "properties": { "hash": { "$ref": "#/definitions/digest", "description": "BLAKE3-256 (preferred) or SHA-256 digest of the reachability graph, prefixed with its algorithm ('blake3:' or 'sha256:') as required by definitions/digest." }, "dsse": { "$ref": "#/definitions/dsseRef" }, "revision_id": { "type": "string", "description": "Optional graph revision identifier or CAS key." } } }, "openvex": { "type": "object", "additionalProperties": false, "required": ["path", "statement_id", "canonical_sha256", "canonical_blake3", "serialization"], "properties": { "path": { "type": "string" }, "statement_id": { "type": "string" }, "canonical_sha256": { "$ref": "#/definitions/sha256" }, "canonical_blake3": { "$ref": "#/definitions/blake3" }, "serialization": { "type": "string", "enum": ["canonical-json", "csaf", "cyclonedx"], "description": "Serialization strategy for the OpenVEX payload." } } }, "justification": { "type": "object", "additionalProperties": false, "required": ["id"], "properties": { "id": { "type": "string", "description": "Justification catalog identifier (e.g., VEX1.vulnerable_code_not_present)."
}, "dsse": { "$ref": "#/definitions/dsseRef" } } }, "entrypoints": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "required": ["id", "coverage_percent", "negative_tests", "config_hash", "flags_hash"], "properties": { "id": { "type": "string" }, "coverage_percent": { "type": "number", "minimum": 0, "maximum": 100 }, "negative_tests": { "type": "boolean" }, "config_hash": { "$ref": "#/definitions/sha256" }, "flags_hash": { "$ref": "#/definitions/sha256" }, "evidence_links": { "type": "array", "items": { "type": "string" } } } } }, "evidence": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "required": ["type", "cas_uri", "hash", "expires_at"], "properties": { "type": { "type": "string", "enum": ["graph", "coverage", "runtime_trace", "negative_test", "config", "flags", "sbom", "scan", "policy"] }, "cas_uri": { "type": "string" }, "hash": { "$ref": "#/definitions/digest" }, "dsse": { "$ref": "#/definitions/dsseRef" }, "expires_at": { "type": "string", "format": "date-time" } } } }, "rbac": { "type": "object", "additionalProperties": false, "required": ["roles_allowed", "approvals_required"], "properties": { "roles_allowed": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "approvals_required": { "type": "integer", "minimum": 1 }, "enforcement": { "type": "string", "description": "How RBAC is enforced (policy, signer, or both)." } } }, "reevaluation": { "type": "object", "additionalProperties": false, "required": ["on_sbom_change", "on_graph_change", "on_runtime_change"], "properties": { "on_sbom_change": { "type": "boolean" }, "on_graph_change": { "type": "boolean" }, "on_runtime_change": { "type": "boolean" }, "ttl_days": { "type": "integer", "minimum": 1, "description": "Maximum lifetime, in days, after which reevaluation is forced even if no on_*_change trigger has fired."
} } }, "uncertainty": { "type": "object", "additionalProperties": false, "required": ["state", "entropy"], "properties": { "state": { "type": "string", "enum": ["U0-none", "U1-low", "U2-medium", "U3-high"] }, "entropy": { "type": "number", "minimum": 0, "maximum": 1 }, "notes": { "type": "string" } } }, "policy": { "type": "object", "additionalProperties": false, "properties": { "decision": { "type": "string" }, "decision_reason": { "type": "string" }, "openvex_serialization": { "type": "string" }, "canonical_encoding": { "type": "string" } } }, "signatures": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "required": ["type", "key_id", "envelope_digest"], "properties": { "type": { "type": "string", "enum": ["dsse", "jws"] }, "key_id": { "type": "string" }, "sig": { "type": "string" }, "envelope_digest": { "$ref": "#/definitions/sha256" }, "rekor_log_id": { "type": "string" }, "rekor_entry_uuid": { "type": "string" }, "transparency_checkpoint": { "type": "string" } } } } }, "definitions": { "sha256": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" }, "blake3": { "type": "string", "pattern": "^blake3:[A-Fa-f0-9]{64}$" }, "digest": { "type": "string", "pattern": "^(sha256|blake3):[A-Fa-f0-9]{64}$" }, "dsseRef": { "type": "object", "additionalProperties": false, "required": ["path", "sha256"], "properties": { "path": { "type": "string" }, "sha256": { "$ref": "#/definitions/sha256" }, "payload_sha256": { "$ref": "#/definitions/sha256" } } } } }